Situation
A critical security vulnerability (CVE-2026-9256) has been identified affecting the ngx_http_rewrite_module.
Impact
An unauthenticated remote attacker can exploit this vulnerability by sending a single crafted HTTP request, causing a heap buffer overflow in the NGINX worker process.
Call to action
The fix is included in nginx 1.30.1, shipped via the following Plesk hotfixes:
- Plesk 18.0.78 Hotfix 2: released May 26, 2026
- Plesk 18.0.77 Hotfix 4: released May 27, 2026
Updating to either hotfix above fully remediates CVE-2026-9256.
Full release details are available in the Plesk change log: https://docs.plesk.com/release-notes/obsidian/change-log/
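One way to check a server against the hotfix levels listed above, as an added example that is not part of the original article or Plesk's own tooling. It assumes the `Product version:` line printed by `plesk version` ends in `RELEASE.UPDATE` with the hotfix number as the last field, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Plesk's code. Sample strings in comments are constructed.

# plesk_fix_status LINE
#   LINE: the "Product version:" line, assumed to end in RELEASE.UPDATE,
#         e.g. "Product version: Plesk Obsidian 18.0.78.2".
#   Prints: fixed | needs-hotfix | not-listed | unparsed
plesk_fix_status() {
    ver=${1##* }                        # last word of the line
    case $ver in
        ''|*[!0-9.]*) echo unparsed; return 0 ;;
    esac
    release=$(printf '%s\n' "$ver" | cut -d. -f1-3)
    update=$(printf '%s\n' "$ver" | cut -d. -f4)
    [ -n "$update" ] || update=0        # no update field: base release
    case $release in
        18.0.78) need=2 ;;              # Plesk 18.0.78 Hotfix 2
        18.0.77) need=4 ;;              # Plesk 18.0.77 Hotfix 4
        *) echo not-listed; return 0 ;; # the article names no hotfix for it
    esac
    if [ "$update" -ge "$need" ]; then echo fixed; else echo needs-hotfix; fi
}

# nginx_has_fixed_version BANNER
#   BANNER: output of `nginx -v`, e.g. "nginx version: nginx/1.30.1".
#   Returns 0 if the version is 1.30.1 or later, 1 if older, 2 if unparsed.
nginx_has_fixed_version() {
    v=${1##*nginx/}                     # drop everything up to "nginx/"
    v=${v%% *}                          # drop any trailing text
    case $v in
        ''|*[!0-9.]*) return 2 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -lt 1 ]; then return 1; fi
    if [ "$minor" -gt 30 ]; then return 0; fi
    if [ "$minor" -lt 30 ]; then return 1; fi
    if [ "$patch" -ge 1 ]; then return 0; fi
    return 1
}
```

`nginx -v` writes its banner to stderr, so capture it with `2>&1` before passing it to `nginx_has_fixed_version`. A `not-listed` result means this article gives no hotfix level for that release, so check the change log linked above.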
Comments
CVE-2026-9256 is a serious NGINX flaw, but applying the latest Plesk hotfixes (18.0.78 HF2 or 18.0.77 HF4) fully resolves it—urgent patching is essential to prevent remote exploitation.